One thing about my design here is that it would no longer incorporate "regex"-based rules like OWASP, mostly because my experience thus far has taught me that these rules are kind of overly sensitive, produce false positives and I'm not sure they are really very effective. For example, what is the point of performing SQL injection detection at the Edge using a WAF if you already handle SQL properly in the first place? (Seriously, does anyone still construct SQL queries by hand with effectively printf?!)
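As an added illustration of the point above (example code written for this thread, not from the original post): a constructed, naive regex rule of the kind an edge WAF ships rejects perfectly legitimate names, while a parameterised query at the application layer handles the same input correctly and the printf-style query chokes on it. The rule, the table and the sample names are all constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for a crude "regex WAF" signature (assumption for
# illustration only; not any real ruleset's rule). It flags SQL keywords and
# a bare apostrophe in a request parameter.
NAIVE_SQLI_RULE = re.compile(r"(?i)(\bselect\b|\bunion\b|\bor\b\s+\d+=\d+|')")


def waf_blocks(value: str) -> bool:
    """True if the naive edge rule would reject this request parameter."""
    return NAIVE_SQLI_RULE.search(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed, entirely legitimate user names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("O'Reilly",), ("Select Bookshop",)])
    return conn


def lookup_printf_style(conn: sqlite3.Connection, name: str) -> list:
    """The 'printf' style the post mocks: input is pasted into the SQL text,
    so the database parses it as syntax rather than as data."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def printf_style_chokes(conn: sqlite3.Connection, name: str) -> bool:
    """True if the printf-style query fails on this (legitimate) input."""
    try:
        lookup_printf_style(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver never interprets `name` as SQL, so
    apostrophes and keywords in the value are just characters."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]
```

Running the functions over the constructed names shows the edge rule blocking "O'Reilly" and "Select Bookshop" outright, while the parameterised lookup returns each of them and the printf-style lookup breaks on the apostrophe.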
@prologic@twtxt.net There have always been and there will always be people who have absolutely no clue what they're doing. I've been 100% one of them when I started. Guaranteed, heaps of new SQL injections are born every single day, numbers rising.
That doesn't justify all the WAF crap in the first place, though. In my opinion it's just a filthy plaster applied to an injected wound. The software itself must be secure. Otherwise, don't put that shit on the internet. Probably not even operate it at all. Nowhere. Fix it or throw it in the bin.